Thursday, December 20, 2012

EU to propose mandatory reporting of cyber incidents | EurActiv

The European Union may force companies operating critical infrastructure in areas such as banking, energy and stock exchanges to report major online attacks and reveal security breaches, according to a draft report by the European Commission.

The European Commission is due to present a proposal on cybersecurity in February once it has received feedback from the European Parliament and EU countries.
The proposal was initially announced in May for the third quarter this year but has been delayed.

EU moves to protect critical infrastructure echo similar concerns worldwide amid an increasing number of cyber attacks globally that can disrupt important areas of the economy, from online banking to stock exchanges.
"Minimum security requirements should also apply to public administrations and operators of critical information infrastructure to promote a culture of risk management and ensure that the most serious incidents are reported," the report said.
Unlike the United States where companies are required to report online attacks, which supporters say forces companies into keeping cyber defences tight, the EU has a piecemeal approach.
Some countries, like Britain, oppose mandatory reporting, which Britain believes would encourage companies to cover up online breaches because they do not want to alarm their customers.
An EU official said the aim of the report was to get companies to be more open about cyber attacks and help them fend off such disruption.
"We want to change the culture around cyber security from one where people are sometimes afraid or ashamed to admit a problem, to one where authorities and network owners are better able to work together to maximise security," the official said.
European companies in critical areas of the economy "lack effective incentives to provide reliable data on the existence or impact" of network security incidents, the report said.
Companies fear that revealing their vulnerability could cost them customers, but authorities are eager for increased transparency to try and shut down methods hackers use to exploit networks before they can do widespread damage.
"Cyber security incidents are increasing at an alarming pace and could disrupt the supply of essential services we take for granted such as water, sanitation, electricity, or mobile networks," the report said.
The EU proposal would require companies in critical infrastructure areas to conduct risk assessments and work with national authorities to ensure a minimum standard across the 27-country bloc.
Inconsistent measures on cyber security also carry an economic cost. In 2012, 38% of the EU's internet users said they were concerned about making payments online, an EU poll showed.

COMMENTS

ALL companies that process citizens' personal details should be required to disclose breaches immediately. Is it not unethical to prioritise and privilege companies' concerns about the impact on their market share over the privacy, dignity and personal security of citizens?

Back in 2004/5 I did a report on Critical Infrastructure; one part of it looked at CERTs (Computer Emergency Response Teams), which are supposed to respond to “cyber attacks”. Telcos and other large organisations have them, as do banks. Think of a CERT as a “fire-brigade” – external (professional ones) and internal ones. There are also private CERTs.
I spoke to an external private “CERT”. They specialised in banks and were a fund of entertaining stories of what goes wrong. One massive German bank suffered a serious DDOS attack and were unable to handle it (despite the bank having thrown considerable amounts of money at their internal CERT). So the bank CERT called in the real experts – who cracked the problem in short order (or so the external CERT claimed). Here’s the kicker: the internal CERT did not tell anybody (e.g. the main board) that they had to pull in outside help – and pretended that they cracked the problem themselves – which in a sense they did. If the internal CERT is a bit coy about telling upper management of a problem (despite a requirement to do so), why would they tell anybody else? The private CERT claimed the problem was endemic.
In the case of “real” critical infrastructure, such as control of power transmission networks – back in 2005 there were few problems. Generally speaking these were run on wholly private networks. However, as one UK guy noted, “the suits want more information” i.e. non-engineering managerial types want more systems operation data. This can lead to openings in systems that were previously wholly closed to “the Internet”.
The UK, as usual, is talking bollocks. They already have a confidential/invitation-only group (of utilities) which meets on a regular basis (attendance is obligatory) to exchange info on attacks etc.
Basically it comes down to this: keep customer facing systems (the retail operation as it were) wholly separate from network operation systems unless you want entertainment of the sort you will regret later. This is not hard to do – but usually costs a bit more – which means that the suits in the interests of economy will probably try and converge the two systems. So when the lights go off or the gas fails – you know who to blame – some half wit in a suit who thought he could save money for his utility.